This release is a product update.
- Content updates include new checks for vulnerabilities, patch verification, and compliance with security policies.
- Product updates include performance improvements, bug fixes, and new features.
Support for new PCI-mandated processes
- Three new Payment Card Industry (PCI)-mandated report templates are now available in anticipation of changes to PCI scan processes that take effect on September 1, 2010:
o Attestation of Compliance
o PCI Executive Summary
o Vulnerability Details
- The product now implements the new PCI severity scoring system that replaces the legacy five-point scoring system:
o A High severity score corresponds to a CVSS score between 7.0 and 10.0 and causes the scan to Fail.
o A Medium severity score corresponds to a CVSS score between 4.0 and 6.9 and causes the scan to Fail.
o A Low severity score corresponds to a CVSS score between 0.0 and 3.9 and allows the scan to Pass.
Note that the PCI council now regards certain vulnerabilities as grounds for automatic failure, regardless of their CVSS score, because of the exploitation risk they pose to the cardholder data environment.
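The following is an added example, not code from the product or the release notes, showing how the CVSS-to-severity bands above and the automatic-failure rule combine into a per-finding and overall scan result. The `Finding` data model, the `automatic_fail` flag, and the sample findings are assumptions constructed for illustration; the thresholds are the ones stated in the release notes.

```python
"""Classify scan findings under the PCI CVSS-based severity scheme and
derive the overall scan result.  The data model and the automatic-failure
flag are assumptions for this example, not the product's own API."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    name: str
    cvss: float
    # Assumed flag: set when the PCI council lists the vulnerability as
    # grounds for automatic failure regardless of its CVSS score.
    automatic_fail: bool = False


def pci_severity(cvss: float) -> str:
    """Map a CVSS base score (0.0-10.0, one decimal place) to the PCI band."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    # Bands are inclusive at both ends: 6.9 is Medium, 7.0 is High.
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def finding_result(finding: Finding) -> str:
    """Pass/Fail for one finding: High and Medium fail, Low passes,
    and an automatic-failure vulnerability fails whatever its score."""
    if finding.automatic_fail:
        return "Fail"
    return "Fail" if pci_severity(finding.cvss) in ("High", "Medium") else "Pass"


def failing_findings(findings: Iterable[Finding]) -> List[Finding]:
    """Findings that need remediation before the scan can pass."""
    return [f for f in findings if finding_result(f) == "Fail"]


def scan_result(findings: Iterable[Finding]) -> str:
    """A scan fails as soon as any single finding fails."""
    return "Fail" if failing_findings(findings) else "Pass"


def summarize(findings: Iterable[Finding]) -> Dict[str, object]:
    """Counts per severity band plus the overall result, as a report
    template such as the PCI Executive Summary would need."""
    findings = list(findings)
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for f in findings:
        counts[pci_severity(f.cvss)] += 1
    counts["AutomaticFail"] = sum(1 for f in findings if f.automatic_fail)
    return {"counts": counts, "result": scan_result(findings)}


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("TLS server accepts weak cipher suite", 4.3),
    Finding("Outdated web server banner", 2.6),
    Finding("Remote code execution in admin interface", 9.8),
    # Low CVSS, but flagged as an automatic-failure condition.
    Finding("Cardholder data exposed without encryption", 3.1, automatic_fail=True),
]


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{finding_result(f):4}  {pci_severity(f.cvss):6}  {f.cvss:4}  {f.name}")
    print(summarize(SAMPLE_FINDINGS))
```

The boundary checks matter when reconciling old reports with the new scheme: a finding scored 6.9 is Medium (and still fails), and the automatic-failure flag overrides the band entirely, so a Low-scored finding can by itself fail a scan.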
Clarification in reports regarding confirmed vulnerabilities
- A bug fix in reports clarifies the status of confirmed vulnerabilities that had been incorrectly identified as "exploited". This clarification ensures that reports provide better information to help you prioritize remediation projects.